On Fri, Aug 17, 2012 at 09:43:43PM +0200, Sven Schnelle wrote: > Greg KH <greg@xxxxxxxxx> writes: > > > On Fri, Aug 17, 2012 at 08:07:11PM +0200, Sven Schnelle wrote: > >> If a device specifies zero endpoints in its interface descriptor, > >> the kernel oops's with the following output: > >> > >> Aug 17 19:32:37 deprecated kernel: [ 103.785466] cdc_acm 1-5:1.0:usb_probe_interface > >> Aug 17 19:32:37 deprecated kernel: [ 103.785474] cdc_acm 1-5:1.0:usb_probe_interface - got id > >> Aug 17 19:32:37 deprecated kernel: [ 103.785480] cdc_acm 1-5:1.0:This device cannot do calls on its own. It is not a modem. > >> Aug 17 19:32:37 deprecated kernel: [ 103.785491] BUG: unable to > >> handle kernel NULL pointer dereference at 00000004 > >> [..] > >> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c > >> index 56d6bf6..cfffb3d 100644 > >> --- a/drivers/usb/class/cdc-acm.c > >> +++ b/drivers/usb/class/cdc-acm.c > >> @@ -1111,6 +1111,8 @@ skip_normal_probe: > >> epread = &data_interface->cur_altsetting->endpoint[0].desc; > >> epwrite = &data_interface->cur_altsetting->endpoint[1].desc; > >> > >> + if (!epctrl || !epread || !epwrite) > >> + return -EINVAL; > > > > How about we check the number of endpoints _before_ dereferencing them? > > > > That would seem to be the correct fix here, instead of relying on the > > fact that those arrays are NULL at the moment. > > Sorry, my fault. Something like this?: > > Author: Sven Schnelle <svens@xxxxxxxxxxxxxx> > Date: Fri Aug 17 19:54:34 2012 +0200 > > CDC ACM: Fix NULL pointer dereference > > If a device specifies zero endpoints in its interface descriptor, > the kernel oopses in acm_probe(). Even though that's clearly an > invalid descriptor, we should test wether we have all endpoints. > This is especially bad as this oops can be triggered by just > plugging a USB device in. > > Signed-off-by: Sven Schnelle <svens@xxxxxxxxxxxxxx> > > diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c > index 56d6bf6..f763ed7 100644 > --- a/drivers/usb/class/cdc-acm.c > +++ b/drivers/usb/class/cdc-acm.c > @@ -1104,7 +1104,8 @@ skip_normal_probe: > } > > > - if (data_interface->cur_altsetting->desc.bNumEndpoints < 2) > + if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 || > + control_interface->cur_altsetting->desc.bNumEndpoints == 0) That's better, does this fix the problem in your testing? greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
